Azure Virtual Secure Administration Workstation – Part 2 – Firewalls and VNets

Azure Secure Admin Workstation posts:

• Part 1 – VDI Environment
  • Resource Group, Host pool, Workspace, Application Group, created an Entra Group with the ‘Desktop Virtualization User’ role and tie them all together.
• Part 2 – Firewalls and VNets
  • Vnets, Subnets, IPs AzureFirewalls, Routes, FW rules etc.
• Part 3 – Session hosts and access
  • Adding our SAW VM to the HostPool, connecting and authenticating
• Public GitHub project:
  • zoak-solutions/AzureVirtualSAW (github.com)

Context and References

• Azure Firewall denies all traffic by default, until rules are manually configured to allow traffic.
  • Azure Firewall rule processing logic | Microsoft Learn
• Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific for the platform and can’t be used for other purposes. For more information, see Infrastructure FQDNs.
  • Deploy and configure Azure Firewall using Azure PowerShell | Microsoft Learn
• Your session hosts and users need to be able to connect to the Azure Virtual Desktop service. These connections also use TCP on port 443 to a specific list of URLs. For more information, see Required URL list. You must make sure these URLs aren’t blocked by network filtering or a firewall in order for your deployment to work properly and be supported. If your users need to access Microsoft 365, make sure your session hosts can connect to Microsoft 365 endpoints.
  • Prerequisites for Azure Virtual Desktop | Microsoft Learn

Deployment procedure

Stage 2 – Create Azure Network Components

• This section provides context for the PowerShell commands are below… strongly suggest reviewing description of steps first.

Procedure

Primary source for this bit: Deploy and configure Azure Firewall using Azure PowerShell | Microsoft Learn

• Noting Azure states that for ‘production’ deployments, a hub and spoke model is recommended, where the firewall is in its own VNet.
  • For our use case, I don’t believe the hub and spoke model will provide any benefit regarding security or otherwise.

1. Create a Vnet and add FWsubnet + SAWsubnet
   • NOTE: The AzureFWSubnet must be a /26
2. Create a Public IP Address for the Azure FW and deploy the firewall
3. Create a route table and associate routes to SAW subnet ensuring SAW traffic is routed via the Azure Firewall
4. Create rules for outbound internet connectivity, some MS doc still has commands for deploying Application and Network firewall rules directly on the Azure Firewall despite the Azure Well-Architected Framework review – Azure Firewall | Microsoft Learn stating that Azure Firewall Manager and Policies should be used
   • … so the PowerShell script below has been updated to create an Azure Firewall Policy instead of assigning rules directly to the firewall

PowerShell

• Assumes using an appropriately authenticated user with sufficient privileges
• Working with prep for automation:
  • zoak-solutions/AzureVirtualSAW (github.com)
    • Source file below: AzureVirtualSAW/scripts/CreateSAWNets.ps1 · GitHub